Security Built for GovCon
DoD-adjacent compliance is different. The data is more sensitive, the regulatory requirements are more specific, and the cost of a breach or finding is measured in contract terminations — not just reputation. ProgramPilot is built with that reality in mind.
Why DoD-Adjacent Security Is Different
Government contractors handle Controlled Unclassified Information (CUI), export-controlled technical data, and financial records subject to DCAA oversight. A data breach doesn't just expose customer PII — it can trigger DFARS clause violations, contract termination for cause, and debarment proceedings.
CMMC Level 2 assessment requires demonstrating 110 security practices from NIST SP 800-171. Many of those practices — access control, audit and accountability, identification and authentication — map directly to platform-level security features, not just policy documents.
DCAA auditors have the authority to disallow costs when adequate internal controls are absent. Adequate internal controls include documented access controls, segregation of duties, and an immutable audit trail of every financial decision. ProgramPilot makes these controls automatic.
Unlike commercial SaaS environments, GovCon platforms must be able to demonstrate compliance posture at any time — not just when an assessment is scheduled. ProgramPilot's continuous compliance model means your audit trail is always current.
Data Encryption at Rest and In Transit
All data is encrypted at rest using AES-256. All data in transit is protected by TLS 1.2+. Database credentials, API keys, and secrets are stored as environment variables — never in source code. File storage uses signed, time-limited URLs scoped to individual tenants.
Row Level Security and Multi-Tenant Isolation
Every database table uses Supabase Row Level Security (RLS). Each tenant's data is isolated at the database row level — no query can return another organization's records. The service role key is used exclusively server-side and is never exposed to client-side code.
Authentication: 2FA/MFA (TOTP), SSO, RBAC
TOTP-based multi-factor authentication is available for all users and admin-enforceable for the entire organization. SSO (Okta and Azure AD) is available on Enterprise plans. Role-based access control (RBAC) assigns permissions at the contract lead, finance lead, and PM level. Emergency backup contact users can be designated by admins.
Immutable Audit Logs and Compliance Records
The DCAA audit trail is append-only and tamper-proof. Every invoice, approval decision, document event, and system action is written with a timestamp that cannot be modified or deleted. This record satisfies DCAA's requirement for a complete, verifiable audit trail. Billing-outside-PoP flags, invoice sequencing gap detection, and DCAA readiness baseline scoring are computed continuously against this log.
CUI Data Handling and DFARS Compliance Documentation
DFARS clause 252.204-7012 compliance documentation is maintained within the platform. CUI acknowledgment tracking is built into the onboarding flow and contract upload process. Access to CUI-tagged documents is restricted by RBAC and logged to the audit trail. Data residency is us-east-2.
CMMC Alignment (Level 2)
ProgramPilot is aligned to CMMC Level 2 practices including access control (AC), audit and accountability (AU), identification and authentication (IA), and system and communications protection (SC). CMMC alignment documentation is maintained per contract and exportable for assessment evidence packages. Enterprise plans include CMMC readiness consulting support.
File Malware Scanning and Magic Byte Validation
All uploaded files are validated against their declared MIME type using magic byte inspection. Files that do not match their declared type are rejected before storage. File upload paths are restricted to approved MIME types. Uploaded files are stored in tenant-scoped storage paths with no public access — all access is through signed, expiring URLs.
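The declared-type-versus-magic-byte check described above, as an added illustration that is not ProgramPilot's code; the signatures are public magic numbers, while the allowlist of accepted types and the sample inputs are assumptions constructed for the example:

```javascript
// Added example, not ProgramPilot's code: reject an upload whose leading bytes
// do not match its declared MIME type. The signatures are public magic numbers;
// which types are on the allowlist is an assumption for illustration.
const SIGNATURES = {
  "application/pdf": [[0x25, 0x50, 0x44, 0x46]], // "%PDF"
  "image/png": [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  // OOXML (.docx/.xlsx) is a ZIP container; check the ZIP local-file header "PK\x03\x04".
  "application/vnd.openxmlformats-officedocument.wordprocessingml.document": [
    [0x50, 0x4b, 0x03, 0x04],
  ],
};

function startsWith(buf, sig) {
  if (buf.length < sig.length) return false;
  for (let i = 0; i < sig.length; i++) if (buf[i] !== sig[i]) return false;
  return true;
}

// Returns { ok: true } or { ok: false, reason } so the caller can write the
// rejection reason to the audit trail before discarding the upload.
function validateUpload(declaredMime, bytes) {
  // Strip any parameters ("; charset=...") and normalise case before the lookup.
  const sigs = SIGNATURES[String(declaredMime).toLowerCase().split(";")[0].trim()];
  if (!sigs) return { ok: false, reason: "mime-not-allowed" };
  const buf = Buffer.isBuffer(bytes) ? bytes : Buffer.from(bytes);
  if (buf.length === 0) return { ok: false, reason: "empty-file" };
  if (!sigs.some((sig) => startsWith(buf, sig))) {
    return { ok: false, reason: "magic-bytes-mismatch" };
  }
  return { ok: true };
}

// Constructed sample inputs (not real files): a PDF header, and a Windows
// executable ("MZ" header) that a client has labelled as a PDF.
const SAMPLE_PDF = Buffer.from("%PDF-1.7\n%\u00e2\u00e3\u00cf\u00d3\n", "latin1");
const SAMPLE_EXE_AS_PDF = Buffer.from("MZ\u0090\u0000\u0003\u0000\u0000\u0000", "latin1");

console.log(validateUpload("application/pdf", SAMPLE_PDF)); // { ok: true }
console.log(validateUpload("application/pdf", SAMPLE_EXE_AS_PDF)); // reason: "magic-bytes-mismatch"
```

A short or empty body fails closed: a file too short to carry a full signature is treated as a mismatch rather than passed through.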
Rate Limiting and Brute Force Protection
All authentication endpoints are protected by per-IP rate limiting with exponential backoff. The login endpoint enforces a hard limit on failed attempts. The refresh token endpoint has a separate, stricter rate limit. API-wide rate limiting prevents abuse of all endpoints. All limits are configured server-side and cannot be bypassed by client behavior.
Secure File Storage
Files are stored in Supabase Storage with tenant-scoped bucket paths. No file is publicly accessible — all download links are signed URLs with a short expiration window. File paths include a tenant ID prefix that is enforced server-side, preventing path traversal or cross-tenant access.
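One way to enforce the tenant ID prefix server-side and keep client-supplied names from escaping it, as an added example that is not ProgramPilot's code; the key layout "<tenantId>/<fileId>-<safeName>", the UUID shape of the ids, and the sample ids are assumptions:

```javascript
// Added example, not ProgramPilot's code: derive storage object keys from the
// server-side session's tenant id and verify requested keys against it, so a
// client-supplied name or key can never resolve outside the tenant prefix.
// The key layout "<tenantId>/<fileId>-<safeName>" is an assumption.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Reduce an untrusted file name to one safe path segment (no separators, no dot-only names).
function safeFileName(name) {
  const last = String(name).split(/[\\/]/).pop();
  const cleaned = last.replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 128);
  if (cleaned === "" || /^\.+$/.test(cleaned)) throw new Error("invalid file name");
  return cleaned;
}

// Key for a new upload. tenantId comes from the authenticated session and
// fileId from the file record the server just created, never from the request body.
function buildObjectKey(tenantId, fileId, requestedName) {
  if (!UUID_RE.test(tenantId) || !UUID_RE.test(fileId)) throw new Error("invalid id");
  return `${tenantId.toLowerCase()}/${fileId.toLowerCase()}-${safeFileName(requestedName)}`;
}

// Resolve "." and ".." segments; returns null if the key tries to climb above the root.
function normalizeSegments(key) {
  const out = [];
  for (const seg of String(key).replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out;
}

// True only if the key, after normalization, sits under the caller's tenant prefix.
// Run this before signing a download URL, never on the raw client value.
function keyBelongsToTenant(key, sessionTenantId) {
  if (!UUID_RE.test(sessionTenantId)) return false;
  const segs = normalizeSegments(key);
  if (segs === null || segs.length < 2) return false;
  return segs[0].toLowerCase() === sessionTenantId.toLowerCase();
}
```

The prefix comparison is done on the normalized key, so a key that climbs out of one tenant's prefix and into another's is compared against the tenant it actually resolves to.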
OWASP Top 10 Mapped Controls
Injection (A03): Parameterized queries throughout.
Broken Access Control (A01): RLS + RBAC on every route.
Cryptographic Failures (A02): TLS 1.2+, AES-256 at rest.
Security Misconfiguration (A05): Helmet middleware, CORS allowlist, no default credentials.
Identification and Authentication Failures (A07): MFA, rate limiting, secure session management.
Insecure Direct Object References: UUIDs with tenant-scoped access checks on every API endpoint.
Data Residency
All ProgramPilot data is stored in us-east-2 (AWS US East — Ohio). Data does not leave the continental United States. This residency posture supports DFARS 252.204-7012 requirements and is consistent with CUI handling obligations for DoD contractors.
Responsible Disclosure
If you discover a security vulnerability in ProgramPilot, please report it responsibly. Send a detailed description to security@programpilotai.com. We commit to acknowledging your report within 48 hours and providing a resolution timeline within 5 business days. We do not take legal action against good-faith security researchers.
Security questions before you start?
Contact our team and we'll walk you through our security posture in detail.